History of Phishing

As widespread and well-known as phishing is now, it hasn’t been around forever. Although the practice originated sometime around the year 1995, these types of scams were not commonly known by everyday people until nearly ten years later.

That doesn’t mean that phishing was not a force to be reckoned with right from the start. In order to avoid falling prey to such scams yourself, it is helpful to have a basic understanding of the history behind them.

Name Origins

Phishing scams use spoofed emails and websites as lures to prompt people to voluntarily hand over sensitive information. It isn’t surprising, then, that the term “phishing” is commonly used to describe these ploys. There is also a good reason for the use of “ph” in place of the “f” in the spelling of the term. Some of the earliest hackers were known as phreaks. Phreaking refers to the exploration, experimenting and study of telecommunication systems. Phreaks and hackers have always been closely linked. The “ph” spelling was used to link phishing scams with these underground communities.

First Recorded Mention

According to Internet records, the first time that the term “phishing” was used and recorded was on January 2, 1996. The mention occurred in a Usenet newsgroup called AOHell. It is fitting that it was made there too; America Online is where the first rumblings of what would become a major criminal issue would take place.

Phishing’s America Online Origins

Back when America Online (AOL) was the number-one provider of Internet access, millions of people logged on to the service each day. Its popularity made it a natural choice for those who had less than pure motives. From the beginning, hackers and those who traded pirated software used the service to communicate with one another. This community was referred to as the warez community. It was this community that eventually made the first moves to conduct phishing attacks.

The first way in which phishers conducted attacks was by stealing users' passwords and using algorithms to create randomized credit card numbers. While lucky hits were few and far between, they struck the jackpot often enough to cause a lot of damage. The random credit card numbers were used to open AOL accounts. Those accounts were then used to spam other users and for a wide range of other things. Special programs like AOHell were used to simplify the process. This practice was put to an end by AOL in 1995, when the company created security measures to prevent the successful use of randomly generated credit card numbers.

Phishing Attacks Begin

With their random credit card number generating racket shut down, phishers created what would become a very common and enduring set of techniques. Through the AOL instant messenger and email systems, they would send messages to users while posing as AOL employees.

Those messages would request users to verify their accounts or to confirm their billing information. More often than not, people fell for the ruse; after all, nothing like it had ever been done before. The problem intensified when phishers set up AIM accounts through the Internet; such accounts could not be “punished” by the AOL TOS department. Eventually, AOL was forced to include warnings on its email and instant messenger clients to keep people from providing sensitive information through such methods.

The Evolution of Phishing

In many ways, phishing hasn’t changed a lot since its AOL heyday. In 2001, however, phishers turned their attention to online payment systems. Although the first attack, which was on E-Gold in June 2001, was not considered to be successful, it planted an important seed. In late 2003, phishers registered dozens of domains that looked like legitimate sites like eBay and PayPal if you weren't paying attention. They used email worm programs to send out spoofed emails to PayPal customers. Those customers were led to spoofed sites and asked to update their credit card details and other identifying information.

By the beginning of 2004, phishers were riding a huge wave of success that included attacks on banking sites and their customers. Popup windows were used to acquire sensitive information from victims. Since that time, many other sophisticated methods have been developed. They all boil down to the same basic concept, though, and it is safe to say that this concept has proved to be quite effective.